Friday, July 23, 2010

Police knew prior to 9-11 of "Coming Event"

Prior to September 11, 2001, I owned rental properties in Stafford Springs, Connecticut. Police officers that were "Town Clowns", and State Police troopers, seemed to know that they would have increased powers after an "event". Connecticut is ground zero for the world's money managers and entertainment, and there are quite a few moguls who have their castles in Connecticut. Many top FBI, law enforcement, lawyers, judges, etc. have ties to Connecticut and to Yale University in New Haven. So, classified plans may have filtered down to officers on the beat.

Informants were out to identify citizens who had firearms or who would be politically active "resistance leaders". Writing critical of Connecticut's courts and the quality of "Protection and Service" put me on that domestic spy-on, follow-around, and ruin list.

Cops were bragging that "a new time is coming", meaning they would have even more power, greater numbers, and virtually no oversight. I thought it was bold talk in the mid-to-late 1990s. What officers bragged about has come true, beyond my wildest imagination. Most of the public seems blind ...

July 16, 2010

The NSA's Perfect Citizen

The federal government is launching an expansive program dubbed "Perfect Citizen" to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants, according to people familiar with the program.

The surveillance by the National Security Agency, the government's chief eavesdropping agency, would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn't persistently monitor the whole system, these people said.

No reason to be alarmed, though. The NSA claims that this is just research.

They are connected to the internet to enable remote management and alarming. This way they can email/page the relevant people when they have an alarm triggering problem. It also makes it much easier for them to set up a new home base for management if a natural disaster makes their operations center unmannable.

As for why those connections aren't better secured, the same reasons every other network isn't properly secured apply.

The name is pretty bad. How about utilwatch? InfraGard, oh, that's taken. Maybe you can have a contest to come up with a better name.

Worse yet, if they stick it under a national security label nobody will regulate or clean up problems. The government doesn't even regulate the contractors on DOJ funded Patriot Act "watch" jobs for crying out loud.

Even if Perfect Citizen is for research what will the contractors do with the results of that research? Look at the domestic spying game, false positives get dragged on and on because it lines someone's pockets and NSA or whoever gets garbage for data. Nobody audits the phone tap/wiretap info but the folks getting the money. Then someone gets paid to store that garbage data in a warehouse. Nobody audits the data, nobody watches the contractors. So imagine how this sort of research can be misused by federal contractors/subcontractors and you'll get the big picture. Local jurisdictions get a ton of cash to keep false positives going.

It's not going to be a police state; it is going to be federal contractors watching and not reporting to the police. Nobody turns their own in for misconduct or fraud.

Both FERC and NRC have already issued cybersecurity regulations for utilities and nuclear plants. Seems like FERC and NRC regs would prohibit installing an NSA back door. Also, there are some very uptight software QA requirements to meet. Would NSA disclose their source code to the companies that would have to install their bots?

Maybe it's just me, but it seems like we're becoming excessively paranoid about the NSA. Yes, if they are actually doing something they shouldn't be doing, that's cause for concern. But stupid project name aside, "putting sensors on critical networks to detect intrusions" sounds pretty benign to me. In fact, it sounds like exactly the kind of thing a large number of companies (including BT) do for their customers or themselves. Is THAT "surveillance" too?

Given past issues, keeping a careful eye on the NSA and the government as a whole seems pretty reasonable. But jumping all over EVERYTHING they do just serves as a distraction from any real issues that might come up.

"A U.S. military official called the program long overdue and said any intrusion into privacy is no greater than what the public already endures from traffic cameras. It's a logical extension of the work federal agencies have done in the past..."

Now who else feels like screaming "mission creep"?

You always know you are in "deep do do" when the excuse is "it's no worse than XXX..." whilst forgetting to mention "No, it's a lot worse because it's in addition to XXX" and "people are already taking action over XXX".

If this is to be paired with the internet kill switch (http://www.schneier.com/blog/archives/2010/07/internet_kill_s.html)...well wouldn't that make for an interesting DOS attack. Launch an attack on a piece of protected infrastructure, then watch as the Perfect Citizen trips the kill switch...

I can see the monitored companies getting a wee bit nervous...after all, they'd be exposing their business practices to scrutiny by the government. And if the government didn't quite get its own security right, their data could be hacked or leaked to hackers or competitors. But in a certain sense, I think there's a public benefit to ensuring availability of critical infrastructure.

In this particular instance, I don't see much to object to, except possibly the name of the program, which admittedly does sound rather Orwellian.

And, Recovery Act money is financing license plate readers (cameras) for Texas law enforcement. These devices are being installed across Texas according to Grits for Breakfast and The Texas Observer. The data is kept for a long time. See http://gritsforbreakfast.blogspot.com/2010/07/...

So, if an attack is made on the power grid, the remote management and alarming systems kick in. Unless the remote management and alarming systems are, like, ya know, plugged into the same affected power grid.

Maybe the remote management and alarming systems should be off the grid.

Hm, maybe we ALL should be off the grid.

Nah, that'd actually make sense and give us much better things to do with our money than prop up the energy industry.

If we can't trust the industry to protect their own systems, someone needs to do it for them. We all rely on the power system (which is why it's "critical infrastructure"), so it's in the public interest that it be defended.

The FBI created InfraGard to share information, but if experts still think that we're not doing enough to defend our critical systems, what other options do we have? I'm not entirely comfortable with the NSA being in charge of it, but they obviously have the experience.

It's easy to criticize, but does anyone here have a better suggestion?

Is there any indication that the name is so ominous and bureaucratic in order to hide the fact that it's an unattainable goal and will be ultimately unsuccessful? This would be an inversion of the "Pythian slip" mentioned above (great phrase, btw), with the purpose being some boondoggle that may accomplish 20% of its objectives (if it even really has any).

@Shadowfirebird> "But, why is the US power grid connected to the internet again?"

Most governmental, industrial, financial and other information systems have been interconnected in preparation for the big announcement. (No, not a fix for iPhone antennas.)

In the very near future I will be unveiling and activating the full system that PC is only a small part of.

Since the Perfect Citizen name did not go over so well, I'm going to come up with a new one for the full system. Due to contractor requirements, it will start with the letter C. And it should mean "large". I'll think of something.

Dr. Forbin

"If we can't trust the industry to protect their own systems, someone needs to do it for them."

Err, hmm, I think the industry can quite easily protect its own systems. It is a question of "incentivising the allocation of resources".

In a free market there is little if any incentive to invest in any kind of security because it does nothing for "short term stock holder value".

And as the average executive life is (supposedly) 18 months, anything that does not show a profit or other advantage to a senior exec within that time frame is not going to happen. In fact anything that does not make two quarters away look good is not going to happen.

One of the joys of a free market is that employees are also free to come and go, thus the higher they get in management the more likely they are to take significant risks with the company as a bet on their personal future, not that of the company or the stock holders.

If you are very short term greedy as most stock markets are then this is not an issue for you as you are going to be "in-n-out", taking your profit and leaving the loss to the next guy (as at some point a loss there will surely be). It is a classic "hot potato" game: the person left holding the potato gets burnt...

But for those in for the long term (like most US employees' retirement funds) you do not want this short term behaviour, nor for that matter does the US or other national economy want a faux boom followed by a real hard bust as we have recently seen.

If we literally take a leaf out of nature's book, we find that systems are rarely more than 60 percent efficient because the plant reserves resources to defend itself against future uncertainties.

"Maybe it's just me, but it seems like we're becoming excessively paranoid about the NSA"

They actually encourage it by their behaviour most of the time. Which is a shame because they actually do some very good work and make it available for all (yup, even those outside the USA).

However with regards to,

"Yes, if they are actually doing something they shouldn't be doing, that's cause for concern."

Err, you missed out "If what they are supposed to be doing is cause for concern".

Their chief scientist is on the record as saying "you can never have too much data"; it's a very large indicator of their mind set, backed up by their known but not well publicized developments in storage technology.

Which is a huge indicator of a problem that is starting to turn around and bite the private individual.

When you have a large collection of data you don't leave it in the filing cabinet to gather dust, irrespective of whether you are an "oh so secret organisation" or a "Mom-n-Pop Sweetie store".

You use it to make a profit on, otherwise there is no point in collecting it, let alone keeping it...

Now I'll leave it up to you to decide what the NSA regards as profit but I'm sure it does not align with old style business profit.

Now with any aggregation of information there is the issue of granularity: the more granular it is the less useful it is for making profit.

That's because the more data you have the more statistical inferences you can make about it and test on "known parts" of the data.

The profit potential is exponentially proportional to the inverse of the granularity, as Google and many many other "analytics organisations" know.

Now ask yourself the question: do you really want the "sensors" the NSA would like to deploy being in your house?

After all it is part of the "network" and as we know various politicos are trying to get "house level" control built into the network as part of "green initiatives" (and yes, Raytheon, the prime contractor, is working on those initiatives; it potentially has huge profit in it).

I suspect that from your comment,

"In fact, it sounds like exactly the kind of thing a large number of companies (including BT) do for their customers or themselves. Is THAT "surveillance" too?"

means you have fallen into the "granularity trap" of thinking the 20,000ft view, not the 2 inches from your nose view.

Which also gives rise to the question,

Do you remember phorm?

I'm sure a few BT execs wince when they hear the name after the backlash it caused...

Connecticut just announced they are discontinuing the use of windshield registration stickers (that replaced the license plate ones) to save $800,000/year, on the explanation that the State Police license plate readers are more effective.

I suspect they're spending more than $800,000/year on that technology.

(And the tin foil wearer in me says it's really to help people forget to renew more easily, so they can rack up more revenue on fines and late fees...)

"that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn't persistently monitor the whole system"

And just how do you detect "unusual activity" when you AREN'T "persistently monitoring the system"? Does the word "baseline" ring a bell?

This just makes no sense. Which means it's a total lie like everything else coming out of government these days. They don't even bother to try to make up decent stories any more, such as the utter crap spouted about the Iranian defector, none of which makes any sense.

There should be a Constitutional Amendment that says any government official at any level right up to the President who is caught knowingly lying to any member of the US electorate should be instantly stripped of his job, prosecuted and if convicted must pay his last year's salary as a fine.
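The commenter's point about baselines can be made concrete. The following is an added example written for this page, not code from the article, the NSA programme, or any commenter: it learns a per-(source, destination, port) baseline from a training window of connection-summary lines and then scores a later window against it. The log format, host names, hourly counts and the use of TCP port 502 (Modbus/TCP) are all constructed for the example; the threshold (mean plus three standard deviations, with a minimum spread so a flat baseline does not alert on noise) is an assumption, not a standard. Run it with an empty baseline and every event is "unusual", which is the commenter's objection in executable form.

```python
"""Baseline-then-detect over constructed connection-summary lines.

Demonstrates that "unusual activity" only has meaning relative to a baseline,
and a baseline only exists if the traffic was monitored long enough to learn it.
All data below is constructed for the example; it is not real utility traffic.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training window. One record per hour per flow:
# <hour> <src> -> <dst>:<port> <connection-count>
TRAINING_LOG = """\
1 hmi-01 -> plc-07:502 40
1 hmi-01 -> plc-08:502 38
1 hist-01 -> plc-07:502 12
2 hmi-01 -> plc-07:502 42
2 hmi-01 -> plc-08:502 41
2 hist-01 -> plc-07:502 11
3 hmi-01 -> plc-07:502 39
3 hmi-01 -> plc-08:502 40
3 hist-01 -> plc-07:502 13
4 hmi-01 -> plc-07:502 41
4 hmi-01 -> plc-08:502 39
4 hist-01 -> plc-07:502 12
"""

# Constructed detection window: one rate spike on a known flow, one never-seen
# flow (an engineering laptop opening SSH to a PLC), and two normal records.
TEST_LOG = """\
5 hmi-01 -> plc-07:502 400
5 hmi-01 -> plc-08:502 39
5 hist-01 -> plc-07:502 12
5 eng-laptop -> plc-07:22 3
"""


def parse(log):
    """Yield (hour, src, dst, port, count) from the constructed line format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        hour, src, _arrow, dst_port, count = line.split()
        dst, port = dst_port.rsplit(":", 1)
        yield int(hour), src, dst, int(port), int(count)


def build_baseline(log):
    """Map each (src, dst, port) flow key to (mean, population stdev) of its hourly counts."""
    series = defaultdict(list)
    for _hour, src, dst, port, count in parse(log):
        series[(src, dst, port)].append(count)
    return {key: (mean(vals), pstdev(vals)) for key, vals in series.items()}


def detect(baseline, log, sigma=3.0, min_spread=1.0):
    """Return alerts for flows absent from the baseline or above mean + sigma*stdev.

    min_spread stops a perfectly flat baseline from alerting on a one-count wobble.
    With an empty baseline every record is a NEW_PAIR alert: no baseline, no signal.
    """
    alerts = []
    for hour, src, dst, port, count in parse(log):
        key = (src, dst, port)
        if key not in baseline:
            alerts.append(("NEW_PAIR", hour, key, count))
            continue
        mu, sd = baseline[key]
        if count > mu + sigma * max(sd, min_spread):
            alerts.append(("RATE", hour, key, count))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(TRAINING_LOG)
    print("with baseline:")
    for alert in detect(baseline, TEST_LOG):
        print("  ", alert)
    print("without baseline (nothing was monitored):")
    for alert in detect({}, TEST_LOG):
        print("  ", alert)
```

In the windowed run the only alerts are the 400-connection spike from hmi-01 to plc-07 and the never-seen eng-laptop to plc-07:22 flow; in the no-baseline run all four records alert, which is noise, not detection. Real deployments also age the baseline and key on more than the 3-tuple, but the dependency on continuous observation is the same.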

You have a great point about the lack of business incentive for security. However, I think we both agree that the fundamental structure of corporate America will not change in the near future. With that in mind, how can you incentivise security?

"I guess this is just me being dumb. But, why is the US power grid connected to the internet again?"

Because as dumb as you get, the people who own utilities are dumber. Having worked on the SCADA system attached to a major T&D operation's substations, we fought tooth and nail to keep everything in that system physically isolated from the corporate network, which was effectively on the internet, and we lost every fight to upper management.
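The commenter's "effectively on the internet" is a transitive property, and it is worth checking mechanically rather than reading firewall rules by eye. The following is an added example written for this page, not code from the commenter's utility or any product: it treats a rule set as a directed graph between network zones and reports every multi-hop path by which an untrusted zone can reach the SCADA zone through permit rules. The zones, rules and port numbers are constructed and hypothetical; the model is deliberately coarse (any permit between two zones is one hop, ports and protocols are not pivot-analysed), which is enough to show that an explicit internet-to-SCADA deny does nothing when internet reaches corp and corp reaches SCADA.

```python
"""Transitive zone-reachability check over a constructed firewall rule set.

A direct "deny internet -> scada" rule is irrelevant if permitted hops exist
internet -> dmz -> corp -> scada: a host compromised in corp is the new source.
Rule set is hypothetical and constructed for the example.
"""

# (from_zone, to_zone, proto, dst_port or "*", action)
RULES = [
    ("internet", "dmz",   "tcp", 443, "permit"),
    ("dmz",      "corp",  "tcp", "*", "permit"),   # over-broad: whole corp LAN reachable from DMZ
    ("corp",     "scada", "tcp", 3389, "permit"),  # "just RDP for the engineers"
    ("corp",     "scada", "tcp", 502, "permit"),   # Modbus/TCP from the historian
    ("scada",    "corp",  "tcp", 443, "permit"),   # historian pushes data out
    ("internet", "scada", "*",   "*", "deny"),     # looks reassuring, is bypassed below
]

# Hardened variant: no permit from corp into scada at all. Data still leaves
# scada outbound; nothing inbound originates from the corporate side.
HARDENED = [r for r in RULES if not (r[0] == "corp" and r[1] == "scada")]


def permitted_edges(rules):
    """Directed zone graph: src -> set of dst zones with at least one permit rule."""
    edges = {}
    for src, dst, _proto, _port, action in rules:
        if action == "permit":
            edges.setdefault(src, set()).add(dst)
    return edges


def paths(rules, start, target):
    """All simple zone paths from start to target through permitted edges (DFS)."""
    edges = permitted_edges(rules)
    found = []
    stack = [(start, [start])]
    while stack:
        node, path = stack.pop()
        for nxt in sorted(edges.get(node, ())):
            if nxt in path:          # no cycles
                continue
            if nxt == target:
                found.append(path + [nxt])
            else:
                stack.append((nxt, path + [nxt]))
    return found


def exposure_report(rules, target="scada", untrusted="internet"):
    """Zone paths by which the untrusted zone transitively reaches the target zone."""
    return paths(rules, untrusted, target)


if __name__ == "__main__":
    for name, rules in (("as deployed", RULES), ("hardened", HARDENED)):
        exposed = exposure_report(rules)
        print(f"{name}: {'EXPOSED via ' + ' -> '.join(exposed[0]) if exposed else 'no path'}")
```

On the constructed rule set the report finds internet -> dmz -> corp -> scada despite the explicit deny; removing the corp-to-scada permits empties the report. In practice the same walk should be run over the real zone table after every change request, since the losing argument the commenter describes is usually made one "small" rule at a time.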

@clive. I agree with you that profit motive, information that could be useful later being saved, and short-sighted management goals are most of the problems.

I have a reflex reaction about trusting organizations like the NSA. With the caveats that they know more than we do about risks, etc. and that they do have a job. They do things secretly, with oversight that is not known to us by definition. That is probably why people get nervous about things like this.

It is hard to believe an organization like a Wall Street firm is going to do the right thing every time when they could make a lot of money in a quick deal or a longer manipulative scheme. Very few have gone to jail, just as politicians haven't yet.

Is it any wonder people are suspicious of what we are being told? The American people do not like seeing the system acting unfairly, and that crosses all of the ideological spectrum.

As an aside, the only name that would have been worse would be to get it over with and call it SKYNET (Somebody Knows You're Not Exactly Trustworthy) by the powers that be... at least as they define it..... ;)

Sounds pretty Nazi to me. The name alone is ominous and nonsensical. Where do I get my Perfect Citizen Badge or Bumper Sticker? More psychological fear tactics.

So much for a Free Society.

And what a joke when you consider the US trashing of Soviet and Chinese strategies over the years--this is an idea stolen straight out of Cold War propaganda.

Are those guys really getting paid for that kind of silliness? I'm outta work, maybe the NSA should hire some of us to evaluate their crazy ideas. The Perfect Citizen project would be canned if that was the case. I usually respect the NSA, but this idea makes them sound desperate and dumb, and mean too.

Sorry for the delay in the reply but my answer is going to be both long and somewhat off topic of the thread.

With regards to your comment,

"America will not change in the near future. With that in mind, how can you incentivise security?"

That as they say is the rub...

Security comes in a number of flavours so I'm going to be general not specific.

Firstly the view from a senior managers position,

A "tangible" infrastructure investment is an outright loss in the initial stages of the investment. At some point it reaches a break-even point after which it shows a profit for the rest of its use.

However as a general rule of thumb newer technology becomes more "efficient" with time and older technology requires increasing maintenance, so combined its running cost goes up.

Thus the two curves when combined give you a "bath tub" curve which defines the profit life of the investment.

It is however not clear if an "intangible" infrastructure investment (such as ICT security) follows the same curve or in fact if it will ever present a return, which presents a significant dilemma.

Which coincidentally is effectively the same as the R&D dilemma giving rise to intellectual property such as trade secrets and patents. And can be expressed as,

"what is the probability of a return -v- sunk costs".

This boils down to a time related gamble...

The longer the problem is left the higher the probability is that it will go wrong. In the case of R&D somebody else gets their patent in first; in the case of security, the probability that your ICT will be attacked in a particular way if you don't mitigate against it.

However all spending initially reduces profit or short term shareholder value. So in the short term all investment in security or R&D is a complete loss.

Even in the long term some investment is so risky that it's like betting on a three-legged horse and hoping the other horses get eliminated...

Thus with security and R&D there is little certainty the investment will pay off in the medium or even long term.

Then there is also the issue that security spending is like defense spending: you cannot show that you've spent too much, only too little...

And then there is the difference between physical security and ICT security which boils down to a question of locality risk probability.

With tangible assets the risk goes up the more people there are local to it. Thus a gold brick in the middle of dense jungle is probably more secure than in a vault in a Bangladeshi bank (Bangladesh supposedly has the highest population density per sq km).

Further, with a tangible asset there is only one place a person can be at any one time and only so much unaided effort they are capable of. Which means they have to have physical force multipliers to do more than a very small minimum of damage at any one time. Physical force multipliers tend to be expensive and thus act as a second constraint on tangible assets.

With intangible security there is no distance; everything is local, and force multipliers are at near zero cost. Thus one attacker can effectively attack in all places at the same time.

Which means there are few if any models to use to define the return on ICT security investment...

The only one being that risk goes up with time and thus you would be entering a "Red Queen's race".

However the way a manager will see this is that at zero time there must be zero risk, and thus minimal risk short term (which is just not true).

All of which says to a manager it's "all sunk costs" within a short time frame, but importantly it comes out of his apparent performance, not the company's bottom line...

Which is going to make it a virtually impossible sale to "short term" management.

Therefore I would say you need to mitigate or get rid of the short term viewpoint, or as engineers would say "dampen the response".

Short term profit is mainly made in a rapidly changing or chaotic market. Thus it's in the interests of traders to keep the market rapidly changing,

But for most people that is not true; they want moderate change that allows average growth over a reasonable time frame.

Which gives rise to the question,

"how do we achieve this?"

There are easy but flawed answers such as "legislation", but sticks only work so far before the beast turns around and bites or runs off somewhere it does not get beaten (which is one major reason for foreign outsourcing). Likewise carrots are just another reward system that pales after a few bites, and becomes exponentially expensive for the reward giver.

Also we have tried legislative sticks (SarbOx) and membership rules (PCI), and we already know they do not work.

All they do is set up a "faux audit market" place. Where the "security policy" from above is not "to be secure as best we can" but to "meet audit".

Then there is the question of the "how" of an audit: the company being audited "selects and pays the auditor", thus an auditor's income is based on what companies are going to select them by...

Which is the classic "conflicts of interest" issue that dogs "free markets" and economists by and large ignore.

Thus we have seen auditors turn blind eyes in finance for many years, so much so that company audit reports are virtually worthless to anybody seeking information on if they should invest or steer well clear (Enron for instance, or toxic mortgage contracts). And it was this that gave rise to SarbOx, which was virtually a blank invitation for the audit industry to fill in as they wished that would be passed into law without question.

The fact that even the audit industry says it does not pass first base on its stated aims and objectives says a lot about where the audit industry sees its responsibilities at the senior levels.

One argument that has been suggested is to use the tax system to make short term systems unattractive to investors. In the UK we have "Capital Gains Tax" which basically assesses the tax owed on a sale based on the difference between the buy and sell price. However it is too simplistic in its approach due to other tax law allowing loopholes.

One nice thing about CGT was the "taper": the tax due on a sale went down on a year by year basis and after a period of years there was no tax to pay.

Another more recent idea is to pay executives a small basic pay and then lock the majority of their remuneration in to the long term performance of the company.

I'm not suggesting that this is a solution because I can see many issues and problems with the ideas.

But I do know one thing: we need to discuss options no matter how odd whilst there is still time to do so, otherwise we will end up in a position we most definitely do not want to be in, where only criminals thrive.

@Alex Bond "not entirely comfortable with the NSA being in charge of it, but they obviously have the experience"

Problem with intelligence agencies in this role is that they are in conflict with the integrity of the system. In the intel world you exploit, deny, or deceive. A commercial firm has one goal: up-time. If the NSA or any other intel agency were in charge then they might allow an attack to proceed in order to better assess the nature and capabilities of the attacker. One of their 'customers' may have to die that others survive.

A Bank doesn't want to know that there are attackers who can burn through their vault in Paris. They want their controls to deter all attackers.

"how can you incentivise security?" Regulation and mandates are one way. We've only been doing it 10 years so I say it's too early to judge its effectiveness.

I am reminded of Ford Motor Co and this guy they hired Named Robert Strange McNamara (may he burn). McNamara was wild about numbers and passionate about "Safety". Executives at Ford kept telling him that Safety doesn't sell. No one wants to buy safety. He was able to improve the safety of cars made by Ford.

So I'd say it starts with getting people passionate about security into board meetings and they have to have the financial tools to be able to represent their case in the organizations budget.

@EH "it's the NSA, what reason do they have to publicize anything?" They didn't. Some reporter somewhere sticking their nose in forced NSA to explain themselves. Good on them.

@jacob's point about oversight and accountability is well said. The NSA doesn't answer to their 'customers', and it has been shown that they can be bullied by well-placed senior government officials.